Looking for Hints: Best Practices to PUSH prefix-list on MX platform with 16.x and UP
Context

    I'm looking for a *simple* & safe way to manage daily IRR changes
from my customers...

    Right now it's a simple script that pushes changes using command lines
thru SSH...

    While it is working adequately, I wonder how long it will be
feasible =D with the current growth.


Solution

    As for their REST API, I remember someone having some issues where
the RE kept rebooting and took down their entire OP for a few hours...

    . Anyone can testify on the solidity of their RESTful API?

    . Should we bump up the production version to something newer?

    PS: Security-wise we're fine, anything related to management is
tightly pinned to an OOB with MFA and high encryption =D.


    Thanks for your time.

--

-----
Alain Hebert ahebert@pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: Looking for Hints: Best Practices to PUSH prefix-list on MX platform with 16.x and UP
I've done this with perl scripts and the Juniper NETCONF libraries. I
make the changes inside a configuration group which is inherited into
the actual prefix-list(s), then lock down the account so it is only
able to make changes to that configuration group.

groups {
    AUTO-PREFIX-LIST {
        policy-options {
            prefix-list AUTO-FOO {
                ...
            }
            prefix-list AUTO-BAR {
                ...
            }
            prefix-list AUTO-BAZ {
                ...
            }
        }
    }
}
system {
    login {
        class AUTO-PREFIX-LIST {
            permissions [ configure view view-configuration ];
            allow-commands junoscript;
            allow-configuration "(groups AUTO-PREFIX-LIST policy-options .*)";
        }
    }
}

On Thu, Aug 12, 2021 at 02:41:10PM -0400, Alain Hebert via juniper-nsp wrote:
> Context
>
> I'm looking for a *simple* & safe way to manage daily IRR changes
> from my customers...
>
> Right now it's a simple script that pushes changes using command lines
> thru SSH...

Re: Looking for Hints: Best Practices to PUSH prefix-list on MX platform with 16.x and UP
You could have something like this:

groups {
    IRR {
        ...
    }
}

Then always generate complete new prefix lists in NMS into a single file.

And have script do:

edit groups
delete IRR
load merge https://nms/irr.junos
commit and-quit


On Thu, 12 Aug 2021 at 21:47, Alain Hebert via juniper-nsp
<juniper-nsp@puck.nether.net> wrote:
>
> Context
>
> I'm looking for a *simple* & safe way to manage daily IRR changes
> from my customers...
>
> Right now it's a simple script that pushes changes using command lines
> thru SSH...
>
> While it is working adequately, I wonder how long it will be
> feasible =D with the current growth.
>
>
> Solution
>
> As for their REST API, I remember someone having some issues where
> the RE kept rebooting and took down their entire OP for a few hours...
>
> . Anyone can testify on the solidity of their RESTful API?
>
> . Should we bump up the production version to something newer?
>
> PS: Security-wise we're fine, anything related to management is
> tightly pinned to an OOB with MFA and high encryption =D.
>
>
> Thanks for your time.
>
> --
>
> -----
> Alain Hebert ahebert@pubnix.net
> PubNIX Inc.
> 50 boul. St-Charles
> P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
> Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443
>



--
++ytti

Re: Looking for Hints: Best Practices to PUSH prefix-list on MX platform with 16.x and UP
13 August 2021 11:44 +03, Saku Ytti via juniper-nsp:

> You could have something like this:
>
> groups {
>     IRR {
>         ...
>     }
> }
>
> Then always generate complete new prefix lists in NMS into a single file.
>
> And have script do:
>
> edit groups
> delete IRR
> load merge https://nms/irr.junos
> commit and-quit

To tighten a bit:

edit groups
delete IRR
edit IRR
load merge relative https://nms/irr.junos
commit and-quit
--
It is often the case that the man who can't tell a lie thinks he is the best
judge of one.
-- Mark Twain, "Pudd'nhead Wilson's Calendar"

Re: Looking for Hints: Best Practices to PUSH prefix-list on MX platform with 16.x and UP
hey,

Or just use "load replace https://nms/irr.junos" && commit with new file
having:

groups {
    replace: IRR {
        ...
    }
}

--
tarko
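
The NMS-side step this thread relies on (always generate the complete prefix lists into a single file, wrapped in the `replace:` stanza for `load replace`) is shown here as an added example, not code from any poster. The function names, the prefix-length bounds, the name pattern and the sample prefixes are assumptions; the point is that every IRR-derived string is parsed and bounded before it can reach the router.

```python
import ipaddress
import re

# Assumed policy bounds (hypothetical values; set them to your own policy).
MIN_LEN = {4: 8, 6: 16}    # refuse anything shorter, e.g. 0.0.0.0/0
MAX_LEN = {4: 24, 6: 48}   # refuse anything longer
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_-]{0,62}")  # assumed safe-name pattern


def validate(prefix):
    """Parse one IRR-derived prefix; raise ValueError if it must not be pushed."""
    net = ipaddress.ip_network(prefix.strip(), strict=True)  # host bits set -> error
    if not MIN_LEN[net.version] <= net.prefixlen <= MAX_LEN[net.version]:
        raise ValueError(f"{prefix}: prefix length outside policy bounds")
    return net


def render_group(group, prefix_lists):
    """Return the full text of the file to publish for `load replace`.

    prefix_lists maps a prefix-list name to an iterable of prefix strings.
    Any bad name, bad prefix or empty list aborts the render, so a broken
    IRR query never turns into a half-written or emptied group.
    """
    for name in (group, *prefix_lists):
        if not NAME_RE.fullmatch(name):
            raise ValueError(f"unsafe name: {name!r}")
    out = ["groups {", f"    replace: {group} {{", "        policy-options {"]
    for name in sorted(prefix_lists):
        nets = {validate(p) for p in prefix_lists[name]}  # set removes duplicates
        if not nets:
            raise ValueError(f"{name}: refusing to publish an empty list")
        out.append(f"            prefix-list {name} {{")
        order = lambda n: (n.version, int(n.network_address), n.prefixlen)
        out += [f"                {net};" for net in sorted(nets, key=order)]
        out.append("            }")
    out += ["        }", "    }", "}"]
    return "\n".join(out) + "\n"


# Constructed sample input (documentation prefixes, not real customer data).
SAMPLE = {
    "AUTO-FOO": ["192.0.2.0/24", "2001:db8::/32", "192.0.2.0/24"],
    "AUTO-BAR": ["198.51.100.0/24"],
}

if __name__ == "__main__":
    print(render_group("IRR", SAMPLE), end="")
```

Because the output is deterministic (sorted, de-duplicated), the published file can be diffed against the previous run before the router is told to load it.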